ShroudNet

The internal mesh. Not something customers connect to directly.

ShroudNet is the private network that connects Katafract's servers to each other. It is not a customer-facing product. When we refer to "the mesh" anywhere else on this site, we mean ShroudNet.

What it is

A WireGuard-based overlay network running on private address space. Every Katafract server — the control plane, the data layer, the VPN exit nodes, the storage nodes — joins the mesh and receives a stable internal address. Services talk to each other over this mesh rather than the public internet.

We run our own mesh control plane. It assigns addresses, authorizes nodes onto the network, and publishes routes. Enrollment is out-of-band: a new node has to be manually approved before it can talk to anything internal.

How it works

WireGuard's handshake is Noise_IKpsk2. Each node holds a static Curve25519 keypair; sessions are rekeyed every 2 minutes of traffic or 120 seconds of silence. The payload cipher is ChaCha20-Poly1305 with a 128-bit authentication tag. There is no TLS, no certificate chain, and no fallback to a weaker cipher — WireGuard deliberately offers exactly one cipher suite and cannot be negotiated down.

Every node runs a metrics exporter bound to its mesh address. The monitoring host pulls metrics over the mesh. Nothing in that monitoring flow is exposed on the public internet.

The control plane exposes an internal-only HTTP endpoint on its mesh address for node heartbeats. Each VPN node POSTs a heartbeat every 30 seconds with a signed token. Heartbeats that fail the signature check are dropped.
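The heartbeat check above is the one place on the mesh where an HTTP request carries authentication of its own. The following is an added illustration, not Katafract's code: it assumes the "signed token" is an HMAC-SHA256 over the heartbeat body keyed with a per-node secret provisioned at enrollment (the page does not state the scheme), and it assumes a 90-second freshness window, three missed 30-second intervals. The node ID, key and timestamps are constructed for the example. Besides the signature check, the verifier rejects stale bodies and replays of an already-accepted sequence number, which a plain signature check alone would let through.

```python
import hashlib
import hmac
import json

# Constructed per-node secrets for the example; a real control plane would
# load these from the enrollment store, one key per approved node.
NODE_KEYS = {"vpn-node-01": b"constructed-demo-key-not-a-real-secret"}

# Assumed policy: a heartbeat older than three 30-second intervals is stale.
FRESHNESS_WINDOW_S = 90


def sign_heartbeat(node_id, key, now, seq):
    """Node side: build a canonical heartbeat body and its HMAC-SHA256 token.

    The body is serialised with sorted keys and no whitespace so that both
    sides hash exactly the same bytes.
    """
    body = json.dumps(
        {"node": node_id, "ts": int(now), "seq": int(seq)},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    token = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, token


class HeartbeatVerifier:
    """Control-plane side: decide whether a POSTed heartbeat is accepted."""

    def __init__(self, keys, window=FRESHNESS_WINDOW_S):
        self.keys = keys
        self.window = window
        self.last_seq = {}  # node_id -> highest sequence number accepted

    def verify(self, body, token, now):
        """Return (accepted, reason). A heartbeat is dropped on the first failing check."""
        try:
            fields = json.loads(body)
            node_id = fields["node"]
            ts = int(fields["ts"])
            seq = int(fields["seq"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed body"

        key = self.keys.get(node_id)
        if key is None:
            return False, "unknown node"

        # Signature first: nothing else in the body is trusted until this passes.
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not isinstance(token, str) or not hmac.compare_digest(expected, token):
            return False, "bad signature"

        # Freshness: a captured heartbeat must not be usable indefinitely.
        if abs(int(now) - ts) > self.window:
            return False, "stale"

        # Replay: each accepted heartbeat must carry a strictly higher sequence number.
        if seq <= self.last_seq.get(node_id, -1):
            return False, "replay"

        self.last_seq[node_id] = seq
        return True, "ok"


if __name__ == "__main__":
    verifier = HeartbeatVerifier(NODE_KEYS)
    body, token = sign_heartbeat("vpn-node-01", NODE_KEYS["vpn-node-01"], 1_700_000_000, 1)
    print(verifier.verify(body, token, 1_700_000_005))  # (True, 'ok')
    print(verifier.verify(body, token, 1_700_000_006))  # (False, 'replay')
```

The ordering of the checks matters: the signature is compared with `hmac.compare_digest` before any field in the body is acted on, and the sequence counter is only advanced after every check has passed, so a rejected heartbeat never moves the replay window.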

Isolation

Customer WireGuard tunnels — the ones WraithVPN opens — terminate on WraithGate exit nodes. Those tunnels are not on ShroudNet. On each exit node, iptables enforces that customer WireGuard traffic may only exit to the public internet: packets from the customer interface to any mesh address are dropped. The two networks share a physical server but are kernel-isolated.
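The kernel-level isolation described above comes down to a small, ordered set of packet-filter rules on each exit node. The block below is an added example, not WraithGate's own configuration, and it generalises slightly beyond the sentence it illustrates: it drops customer-to-mesh traffic, drops customer-to-customer traffic on the same node, allows the public uplink, and drops everything else. The interface names (`wg-cust0`, `eth0`) and the mesh prefix (`10.77.0.0/16`) are placeholders, not Katafract's real values. By default it only renders the `iptables` commands; `apply(..., dry_run=False)` would execute them with root privileges.

```python
import subprocess

# Placeholder values for the example; substitute the node's real interface
# names and the mesh prefix.
CUSTOMER_IFACE = "wg-cust0"   # interface customer WireGuard tunnels terminate on
PUBLIC_IFACE = "eth0"         # uplink to the public internet
MESH_CIDR = "10.77.0.0/16"    # private address space used by the mesh
CHAIN = "CUST_EGRESS"         # user-defined chain holding the customer policy


def isolation_rules(customer_iface=CUSTOMER_IFACE, public_iface=PUBLIC_IFACE,
                    mesh_cidr=MESH_CIDR, chain=CHAIN):
    """Return the iptables commands, as argv lists, that isolate customer traffic.

    Order is significant: the jumps are inserted at position 1 so they run
    before any broader ACCEPT rule already present in FORWARD/INPUT, and
    inside the chain the DROP rules precede the single ACCEPT.
    """
    return [
        ["iptables", "-N", chain],
        # Any forwarded packet arriving from a customer tunnel is judged by the chain.
        ["iptables", "-I", "FORWARD", "1", "-i", customer_iface, "-j", chain],
        # Customer -> any mesh address (including this node's own): drop.
        ["iptables", "-A", chain, "-d", mesh_cidr, "-j", "DROP"],
        # Customer -> another customer on the same node (peer-to-peer): drop.
        ["iptables", "-A", chain, "-o", customer_iface, "-j", "DROP"],
        # Customer -> public internet via the uplink: the only permitted path.
        ["iptables", "-A", chain, "-o", public_iface, "-j", "ACCEPT"],
        # Anything else leaving a customer tunnel: drop.
        ["iptables", "-A", chain, "-j", "DROP"],
        # Packets from the customer interface addressed to the node itself on its
        # mesh address are dropped in INPUT (-o is not valid there, so no chain).
        ["iptables", "-I", "INPUT", "1", "-i", customer_iface, "-d", mesh_cidr, "-j", "DROP"],
    ]


def render(rules):
    """Render the rule list as shell lines for review or for a config file."""
    return "\n".join(" ".join(rule) for rule in rules)


def check_ordering(rules, chain=CHAIN):
    """Sanity check: every DROP in the chain must come before its ACCEPT."""
    chain_rules = [r for r in rules if "-A" in r and r[r.index("-A") + 1] == chain]
    verdicts = [r[-1] for r in chain_rules]
    first_accept = verdicts.index("ACCEPT")
    return verdicts.index("DROP") < first_accept and verdicts[-1] == "DROP"


def apply(rules, dry_run=True):
    """Print the commands; execute them only when dry_run is False."""
    for rule in rules:
        print(" ".join(rule))
        if not dry_run:
            subprocess.run(rule, check=True)


if __name__ == "__main__":
    rules = isolation_rules()
    assert check_ordering(rules)
    apply(rules)  # dry run: prints the iptables commands
```

Because the policy lives in its own chain, a packet capture or an `iptables -L CUST_EGRESS -v` counter on the first DROP rule gives a direct signal of customer traffic attempting to reach mesh addresses, which is useful as a detection as well as a control.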

This means a customer connected to a WraithGate node cannot see other customers on the same node, cannot reach the mesh, and cannot reach other Katafract servers. Peer-to-peer between customer endpoints is blocked at the node.

What Katafract can see

What Katafract cannot see via ShroudNet

What this means for you

ShroudNet is infrastructure plumbing. The reason it exists on a customer-facing site at all is that people ask how our servers authenticate each other and whether our monitoring can see inside their tunnels. The answer is: our servers authenticate over a separate encrypted mesh with its own keys, and customer tunnels are isolated from that mesh at the kernel level.